DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

DHS Needs to Strengthen Controls For Remote Access to Its Systems and Data
(Redacted)

Notice: The Department of Homeland Security, Office of the Inspector General, has redacted this report for public release under the Freedom of Information Act, 5 U.S.C. § 552 (b)(2).

Office of Information Technology
OIG-05-03                                      November 2004

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, investigative, and special reports prepared by the OIG as part of its DHS oversight responsibility to identify and prevent fraud, waste, abuse, and mismanagement.

This report assesses the strengths and weaknesses of controls over remote access to DHS resources. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, technical scans, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to the OIG, and have been discussed in draft with those responsible for implementation. It is my hope that this report will result in more effective, efficient, and economical operations.
I express my appreciation to all of those who contributed to the preparation of this report.

Clark Kent Ervin
Inspector General

Contents

Introduction ....................................................... 3
Results in Brief ................................................... 4
Background ......................................................... 5
Findings ........................................................... 6
    Remote Access Security Procedures Have Not Been Fully Developed And Implemented ... 6
    Remote Access Hosts Are Vulnerable ............................. 9
    Miscellaneous Issue ........................................... 15
Recommendations ................................................... 15
Management Comments And Our Evaluation ............................ 16

Appendices

Appendix A: Purpose, Scope, and Methodology ....................... 18
Appendix B: Management's Response ................................. 20
Appendix C: User Administration Processes ......................... 22
Appendix D: Account Policy Settings ............................... 23
Appendix E: Vulnerabilities Identified ............................ 25
Appendix F: Major Contributors to This Report ..................... 26
Appendix G: Report Distribution ................................... 27

Abbreviations

ATL              Advanced Technology Laboratory
CIO              Chief Information Officer
CIS              Bureau of Citizenship and Immigration Services
DHS              Department of Homeland Security

DHS Needs to Strengthen Controls For Remote Access                    Page 1

DHS Handbook     DHS Sensitive Systems Handbook
DHS Management   DHS Management Directorate
EP&R             Emergency Preparedness and Response Directorate
FISMA            Federal Information Security Management Act of 2002
FISCAM           Federal Information System Controls Audit Manual
GAO              Government Accountability Office
ICE              Bureau of Immigration and Customs Enforcement
ID               Identification
ISS              Internet Security Systems
ISSO             Information Systems Security Officer
NIST             National Institute of Standards and Technology
NSA              National Security Agency
NT               Windows New Technology (Microsoft)
OIG              Office of Inspector General
SP               Special Publication
TSA              Transportation Security Administration

OIG
Department of Homeland Security
Office of Inspector General

Introduction

The Office of Inspector General (OIG) audited the security program of the Department of Homeland Security (DHS) and its components[1] to control remote access to DHS networks. Because remote access capabilities can significantly increase the security risks to its networks, DHS must ensure strong security controls over remote access and dial-in capabilities.

Our objective was to determine whether DHS had provided system security, integrity, and control over remote access to its computer systems and data.
The audit focused on wire-based remote access to DHS systems and resources, including dial-in access through modems and access through the Internet.

We interviewed DHS officials, reviewed remote access policy and procedure documents, and performed technical scans of 53 remote access hosts.[2] Additionally, we analyzed password strength and account policy settings and performed modem discovery tests on 2,868 analog phone lines.

To perform these tests, we used three commercial, off-the-shelf products: Internet Security Systems' (ISS) Internet Scanner 7.0, @stake's L0phtCrack 5.02, and Sandstorm Enterprises' PhoneSweep 4.0. Upon completion of the tests, we provided each component with technical reports detailing the specific vulnerabilities detected on its networks and the actions needed for remediation.

Fieldwork was conducted from April through August 2004 at DHS' Office of the Chief Information Officer (CIO), five DHS components, and the OIG's Advanced Technology Laboratory (ATL).[3] See Appendix A for purpose, scope, and methodology.

[1] DHS "components" are defined as directorates, including organizational elements and bureaus, and critical agencies.
[2] In this report we use the term "host(s)" to refer to those servers and devices providing remote access capabilities, including
Microsoft Windows New Technology (NT) and Windows 2000 domain controllers, Microsoft Exchange Servers, Cisco Systems Access Servers, and virtual private network concentrators.
[3] The ATL supports DHS OIG's capability to perform effective and efficient technical assessments of DHS information systems and diverse operating environments. The ATL is a collection of hardware and software that allows the simulation, testing, and evaluation of the computing environments most commonly used within DHS.

Results in Brief

DHS does not provide adequate or effective system security controls over remote access to its computer systems and data. While DHS has established policy governing remote access, and has developed procedures for granting, monitoring, and removing user access, these guidelines have not been fully implemented by the components because they are still developing processes or are waiting to obtain automated tools to assist them in performing these functions. Further, DHS has not established configuration guidelines for the hosts providing remote access to its networks.

In addition, DHS components have not established effective system controls on remote access.
Specifically: (1) remote access hosts do not provide strong protection against unauthorized access; (2) systems were not appropriately patched;[4] and (3) modems that may be unauthorized were detected on DHS networks. Due to these remote access exposures, there is an increased risk that unauthorized people could gain access to DHS networks and compromise the confidentiality, integrity, and availability of sensitive information systems and resources.

Subsequent to the completion of our audit work, officials from each of the components said that they had taken or planned corrective action to address many of the vulnerabilities identified in our review. However, we did not verify that the problems had been resolved.

Our report includes three recommendations that will assist DHS in remedying the deficiencies identified.
Specifically, the CIO should:

• Update the DHS Sensitive Systems Handbook (DHS Handbook) to include implementation procedures and configuration settings for remote access to DHS systems.

• Ensure that procedures for granting, monitoring, and removing user access are fully implemented.

• Ensure that all necessary system and application patches are applied in a timely manner.

[4] A patch, also known as a "hotfix" or "service pack," is a piece of software published by the manufacturer of a software application to correct errors or bugs in the software.

In response to our draft report, the DHS CIO concurred with our recommendations and stated that many of them have been incorporated into DHS' planning and are now reflected in the Department's program objectives and milestones. DHS' response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

Within DHS, remote access provides trusted computer users access to DHS networks by dialing in via modem or via the Internet. There are numerous advantages associated with the use of remote access.
For example, remote access:

• Allows employees to have flexible work schedules.

• Provides teleworkers or employees on travel the ability to access the network and resources, such as email messages, files, databases, and applications.

• Permits administrators to identify and resolve network or system problems remotely.

• Increases employee productivity because of an improved work and home-life balance.

• Reduces operational overhead such as office space, infrastructure costs, and sick leave.

• Reduces traffic congestion and commuting times.

• Provides more job opportunities and lessens the commute for disadvantaged workers.

While there are several advantages associated with providing DHS employees remote access, there are also numerous security concerns related to granting and maintaining remote access to government systems and resources. High-speed Internet access technologies, such as cable modems, digital subscriber lines, satellites, and wireless devices, allow for increased transmission speed and bandwidth.
These technologies make it easier for remote users to access and transfer large amounts of data, and allow users to be online for longer periods. However, these technologies also increase the risk that unauthorized users will gain access to DHS systems and resources.

The Federal Information Security Management Act (FISMA) of 2002[5] requires each agency to develop, document, and implement an agency-wide information security program to provide security for the information and information systems that support the operations and assets of the agency. Agency policies should ensure that information security is addressed throughout the life cycle of each agency information system and should prescribe minimally acceptable system configuration requirements.

DHS Sensitive Systems Policy Publication 4300A addresses access controls, including remote access and dial-in capabilities. The policy requires that DHS components ensure that strong authentication and access controls are implemented for remote access.
The department developed the DHS Handbook to provide components with specific techniques and procedures for implementing the requirements of this policy.

Findings

Remote Access Security Procedures Have Not Been Fully Developed And Implemented

DHS has not developed and implemented the security procedures necessary to control remote access to its networks adequately and effectively. While DHS has established a policy governing remote access and has developed procedures for user administration,[6] these guidelines have not been fully implemented by the components.[7] Further, DHS has not established implementation and configuration guidelines for the hosts providing remote access to its networks. As a result, there is greater risk that the controls implemented to protect DHS networks may not prevent unauthorized access to the department's systems and data.

[5] Title III, E-Government Act of 2002, P.L.
107-347, December 17, 2002.
[6] According to National Institute of Standards and Technology Special Publication 800-14, user administration incorporates: (1) user account management, including processes for requesting, establishing, issuing, and closing user accounts; tracking users and their respective access authorizations; and managing these functions; (2) audit and management reviews of user account management; and (3) the timely modification or removal of access.
[7] See Appendix C for a detailed description of recommended procedures for user administration, including granting, monitoring, and removing user access.

Remote Access User Administration Needs Improvement

Although DHS has developed procedures for granting, monitoring, and removing user access, these guidelines have not been implemented fully by the components. Specifically:

• [redacted] said that they had not implemented effective exit procedures to ensure that access is removed in a timely manner upon employee separation or transfer. DHS policy requires that components implement procedures to ensure system access is revoked for employees or contractors who either leave DHS or are reassigned to other duties.
In addition, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-14 requires that a standard set of processes be implemented governing friendly and unfriendly[8] termination, including removal of access privileges, computer accounts, and authentication tokens.[9] Additionally, the U.S. Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM) requires that exit processes ensure that security management is notified immediately of terminations and that access to the entity's resources and facilities, including passwords, is promptly removed.

• [redacted] had not implemented procedures to periodically review audit trails or logs of remote access activity and to document the completion of such reviews. In addition, though officials from [redacted] said that they conducted periodic reviews, officials from these components said that they did not document the completion of these activities.
According to NIST SP 800-14, audit trails should be reviewed periodically to provide individual accountability, reconstruction of events, intrusion detection, and problem identification. Further, the DHS Handbook requires information systems security officers (ISSO) to review audit trails at least once per week or according to the system's security plan.

[8] NIST SP 800-12 defines friendly termination as the removal of an employee from the organization when there is no reason to believe that the termination is other than mutually acceptable. Unfriendly termination is defined as the removal of an employee under involuntary or adverse conditions. NIST recommends that separate processes be developed for handling friendly and unfriendly terminations, including additional security controls to prevent adverse events in the cases of unfriendly terminations.
[9] An authentication token is an object that a user possesses for the purpose of identification and authentication. Tokens can be divided into two categories: memory tokens such as bank or credit cards, which store information; and smart tokens such as Smart Cards, which contain integrated circuits.

• [redacted] According to NIST SP 800-12, application managers or data owners should review each user's access level every month and sign a formal access approval list to provide a written record of authorization.
In addition, FISCAM requires that system owners periodically review access authorization listings and determine whether they remain appropriate. The DHS Handbook requires that system managers or owners revalidate all accounts at least annually.

According to DHS officials, some of the user administration procedures noted above had not been implemented because the components were still developing auditing and management review processes, or were waiting to obtain automated tools that would assist them in performing user administration functions.

DHS Has Not Issued Detailed Remote Access Configuration Guidance

DHS has not established detailed implementation and configuration procedures to ensure that remote access hosts provide strong protection against unauthorized access. The department plans to include detailed guidance in the DHS Handbook for the employment of remote access devices, user responsibilities, operating procedures, and other information pertaining to remote access administration. This section of the DHS Handbook has not been completed; DHS is still negotiating with its components to ensure that the minimum implementation requirements established in the guidelines are feasible.

FISMA requires federal agencies to develop and maintain information security policies, procedures, and control techniques to address all applicable requirements.
Further, FISMA requires federal agencies to develop, document, and implement policies and procedures that ensure compliance with the minimally acceptable system configuration requirements determined by the agency.

Until effective user administration and remote access configuration procedures are established, DHS is at increased risk that remote access may not be adequately controlled and remote access devices may not be appropriately configured. As a result, the risks associated with providing remote access to DHS networks may not be adequately addressed.

Remote Access Hosts Are Vulnerable

DHS has not established effective system controls on remote access hosts. To assess the security of remote access to DHS networks, we: (1) performed vulnerability assessment scans to identify configuration weaknesses and vulnerabilities on the hosts providing remote access capabilities;[10] (2) analyzed account policy settings[11] to verify that remote access hosts were properly configured; (3) conducted password strength analyses to determine whether the use of strong passwords was enforced; and (4) performed modem discovery tests to locate any unauthorized modems operating on DHS networks.
In assessing the effectiveness of remote access controls, we identified several problems related to remote access host configurations, system patching, and the control of modems. These control weaknesses could provide an attacker with the ability to gain inappropriate access to DHS information systems and resources.

Remote Access Hosts Were Not Appropriately Configured

Many of the hosts that we tested were not configured to protect against unauthorized access. Specifically:

• DHS components did not enforce strong identification or authentication measures according to DHS requirements, NIST guidelines, and National Security Agency (NSA) recommendations. For each network reviewed, we sampled a single remote access domain and tested for appropriate account policy parameter settings. With the exception of DHS Management, each component had weak or inappropriate configuration settings:[12]

[10] The tested hosts included Microsoft Windows NT and Windows 2000 domain controllers, Microsoft Exchange Servers, Cisco Systems Access Servers, and virtual private network concentrators.
[11] Account policy settings are a series of system security configurations that control almost every aspect of user passwords, including initial creation of the password, changing the password, and forgotten passwords.
The account policy section is broken down into three categories: (1) Password Policy, which configures the password itself, with regard to validity period, length, and complexity; (2) Account Lockout Policy, which configures how the account responds when a user repeatedly fails to enter the correct password; and (3) Kerberos Policy, which controls Kerberos ticketing for domain communications.
[12] See Appendix D for a detailed description of the parameter settings identified at each component, along with a discussion of the risks associated with the use of those parameter settings.

[redacted]

Further, [redacted] had several high and medium risk vulnerabilities relating to account and password administration. These vulnerabilities included:

-- Administrator, user, and guest accounts with no password required.
-- An administrator account with a password that was the same as the user identification (ID).
-- Accounts with blank passwords.
-- User accounts assigned inappropriate system privileges that could be used to access or modify any file on the system.

The absence of adequate identification and authentication controls enabled users and administrators to create weak passwords on devices
providing remote access to DHS networks. To determine the extent of the use of weak passwords, we sampled a single remote access domain at each component and ran user information, dictionary, and hybrid dictionary attacks[14] to identify accounts with weak or missing passwords.

[13] DHS has also established configuration guidelines for password reuse. However, these guidelines differ from the NIST and NSA recommendations (see Appendix D for a comparison).
[14] In a user information attack, the password cracking software hashes data taken from each account's own fields, such as the account's user ID, and compares the result with the stored password hash to determine whether any account's password is based on that information. In a dictionary attack, the software hashes every word in a dictionary file and compares each result with the password hashes to find matches. In a third type of attack, known as a hybrid dictionary attack, numbers or symbols are appended to each word in the dictionary file before it is hashed.

Next, we analyzed the test results to identify accounts with passwords that did not comply with DHS, NIST, and NSA password complexity requirements.
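The three attack types footnote 14 describes, followed by the tally Table 1 reports (accounts with no password, cracked by user-information or dictionary attack, cracked by hybrid attack, and cracked passwords that fail the complexity policy), as an added worked example. This code is not from the report, from L0phtCrack, or from any DHS tool. It assumes: a stand-in unsalted hash (SHA-256 over UTF-16LE) in place of the NT hash L0phtCrack targets, a constructed six-word dictionary and suffix list, a constructed set of six accounts, and a complexity baseline (8 characters, three of four character classes, user ID not contained in the password) that stands in for the DHS, NIST, and NSA values the report keeps in Appendix D.

```python
"""Password strength analysis over a remote access domain, in the style of the
OIG's L0phtCrack runs (added example; not the report's or any DHS tool's code)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def hash_password(password: str) -> str:
    # Assumption: a stand-in for the unsalted NT hash (MD4 over UTF-16LE) that
    # L0phtCrack attacks; the matching logic below is the same for any unsalted hash.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


@dataclass(frozen=True)
class Account:
    user_id: str
    full_name: str
    pw_hash: str

# Constructed word list and suffix set; a real run uses a large dictionary file.
DICTIONARY: List[str] = ["password", "welcome", "summer", "letmein", "homeland", "liberty"]
SUFFIXES: List[str] = [str(n) for n in range(100)] + ["123", "2003", "2004", "!", "1!"]


def word_variants(word: str) -> Iterable[str]:
    yield word
    yield word.capitalize()
    yield word.upper()


def user_info_candidates(acct: Account) -> Iterable[str]:
    # Footnote 14: guesses built from the account's own fields, e.g. the user ID.
    for piece in [acct.user_id] + acct.full_name.split():
        yield from word_variants(piece.lower())
        yield piece[::-1]


def dictionary_candidates(words: Iterable[str]) -> Iterable[str]:
    for word in words:
        yield from word_variants(word)


def hybrid_candidates(words: Iterable[str]) -> Iterable[str]:
    # Footnote 14: numbers or symbols appended to each dictionary word.
    for word in dictionary_candidates(words):
        for suffix in SUFFIXES:
            yield word + suffix


def crack(accounts: List[Account], words: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map user_id -> (method, cleartext) for each account whose password was recovered.
    Attacks run cheapest first; an account is attributed to the first one that hits."""
    found: Dict[str, Tuple[str, str]] = {}
    blank = hash_password("")
    for acct in accounts:
        if acct.pw_hash == blank:
            found[acct.user_id] = ("no_password", "")
            continue
        for cand in user_info_candidates(acct):
            if hash_password(cand) == acct.pw_hash:
                found[acct.user_id] = ("user_info", cand)
                break
    # Dictionary and hybrid guesses are shared by all accounts, so hash each guess once
    # and look it up against every still-uncracked hash (cheap because hashes are unsalted).
    for method, guesses in (("dictionary", dictionary_candidates(words)),
                            ("hybrid", hybrid_candidates(words))):
        pending: Dict[str, List[str]] = {}
        for acct in accounts:
            if acct.user_id not in found:
                pending.setdefault(acct.pw_hash, []).append(acct.user_id)
        for cand in guesses:
            if not pending:
                break
            for user_id in pending.pop(hash_password(cand), []):
                found[user_id] = (method, cand)
    return found


def meets_complexity(password: str, user_id: str, min_length: int = 8) -> bool:
    # Assumed baseline (the report's DHS/NIST/NSA values are in its Appendix D, not here):
    # at least min_length characters, three of four character classes, no user ID inside.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return (len(password) >= min_length and classes >= 3
            and user_id.lower() not in password.lower())


def summarize(accounts: List[Account], words: List[str]) -> Dict[str, int]:
    """Counts in the shape of the report's Table 1; the total excludes no-password accounts."""
    found = crack(accounts, words)
    counts = {"tested": len(accounts), "no_password": 0, "user_info_dictionary": 0, "hybrid": 0}
    for method, _ in found.values():
        key = {"no_password": "no_password", "hybrid": "hybrid"}.get(method, "user_info_dictionary")
        counts[key] += 1
    counts["total_cracked"] = counts["user_info_dictionary"] + counts["hybrid"]
    counts["cracked_not_meeting_policy"] = sum(
        1 for user_id, (method, pw) in found.items()
        if method != "no_password" and not meets_complexity(pw, user_id))
    return counts


def sample_accounts() -> List[Account]:
    # Constructed test data; cleartexts appear here only to build the hashes.
    raw = [
        ("jsmith", "John Smith", "jsmith"),        # password equals the user ID
        ("rjones", "Rita Jones", ""),              # no password
        ("dgarcia", "Dan Garcia", "welcome"),      # plain dictionary word
        ("kpatel", "Kim Patel", "letmein123"),     # hybrid hit, fails the complexity rule
        ("admin", "Admin Account", "Password1"),   # hybrid hit, yet passes the assumed rule
        ("pwong", "Pat Wong", "Tq9!vLm#2xRz"),     # not recovered
    ]
    return [Account(u, n, hash_password(p)) for u, n, p in raw]


if __name__ == "__main__":
    print(summarize(sample_accounts(), DICTIONARY))
```

Two points the tally makes that the prose alone does not: the hash-once-and-look-up loop in crack() is why unsalted NT-style hashes let one pass over the dictionary test every account in the domain at the same cost as testing one, and the "admin" row shows why Table 1 reports cracked passwords and policy-noncompliant passwords as separate columns, since a password can satisfy a length-and-character-class rule and still fall to a hybrid attack.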
Each of the components had a significant number of accounts with weak passwords. The following table details the password test results for each of the components.

Table 1: Results Of Password Strength Analysis On Remote Access Domains

Component  | Accounts tested | No password (number, % of total) | Cracked: user info/dictionary attack (number, % of total) | Cracked: hybrid dictionary attack (number, % of total) | Cracked: total (number, % of total) | Cracked passwords not meeting DHS guidelines and NIST/NSA recommended settings (number, % of total)
[redacted] | 6,579           | 23 (0.35%)                       | 61 (0.93%)                                                | 523 (7.95%)                                            | 584 (8.88%)                         | 461 (7.01%)
[redacted] | 41,486          | 8 (0.02%)                        | 981 (2.36%)                                               | N/A (a)                                                | 981 (2.36%) (a)                     | 939 (2.26%) (a)
[redacted] | 4,532           | 0 (0%)                           | 837 (18.47%)                                              | 819 (18.07%)                                           | 1,656 (36.54%)                      | 1,605 (35.41%)
[redacted] | 58,287          | 34 (0.06%)                       | 714 (1.22%)                                               | 4,032 (6.92%)                                          | 4,746 (8.14%)                       | 4,451 (7.64%)

(a) Due to a technical problem involving the password auditing software and the file obtained from [redacted] for testing, we were not able to complete the hybrid dictionary attack portion of the password strength analysis for this component. Thus, the figures presented above for [redacted] are for the dictionary and user information attacks only.

DHS policy requires that system ISSOs determine and enforce appropriate measures to ensure that strong passwords are used. Further, the DHS Handbook and NIST SP 800-18 require that passwords contain a combination of alphabetic, numeric, and special characters.
According to NSA, passwords should also contain upper and lowercase characters.

• DHS components did not properly configure remote access hosts.[16] For example, the remote access hosts had the following configuration weaknesses that could allow attackers to gain valuable information or compromise the integrity of the system:

[redacted]

[15] [redacted]

[16] See Appendix E for a detailed description of the vulnerabilities identified at each component, including those related to configuration weaknesses and those resulting from missing or inappropriately applied system patches.

Table 2 illustrates the number of hosts, by component, that contained configuration weaknesses.

Table 2: Configuration Weaknesses Identified

Number of hosts with high or medium risk configuration weaknesses:

Component  | Number of hosts tested (a) | 1 weakness  | 2 weaknesses  | 3 weaknesses  | 4 or more weaknesses | Total with 1 or more weaknesses
[redacted] | 10                         | 0           | 3 hosts (30%) | 0             | 3 hosts (30%)        | 6 hosts (60%)
[redacted] | 14                         | 1 host (7%) | 0             | 2 hosts (14%) | 4 hosts (29%)        | 7 hosts (50%)
[redacted] | 11                         | 1 host (9%) | 0             | 0             | 3 hosts (27%)        | 4 hosts (36%)
[redacted] | 18                         | 0           | 4 hosts (22%) | 0             | 2 hosts (11%)        | 6 hosts (33%)

(a) For each network reviewed, we selected a remote access domain and conducted vulnerability scans on each of the hosts in the domain.

Because of weak account policy settings, passwords, and remote access host configurations, there is increased risk that an unauthorized person could obtain or guess a user ID and password combination to gain access to DHS networks. Passwords are often the first line of defense against hackers or insiders who may be trying to obtain unauthorized access to a computer system.
The use of weak passwords, combined with inappropriate account policy settings and system configurations, might allow unauthorized internal users and external hackers to gain access to DHS systems. This is why it is important that DHS components have strong account policies, passwords, and system configurations.

Component officials said that several of the account and configuration weaknesses noted above were the result of changes that occurred during system migrations and were not subsequently corrected. In addition, according to a [redacted], the creation of strong passwords had not been enforced on its network because of the likelihood that users would write down their passwords in an accessible place, which may lead to password compromise. However, security training and enforcement can decrease the risk of users' writing down their passwords in accessible locations.

System and Application Patches Were Not Applied

Hosts providing remote access capabilities to DHS systems and data were not appropriately patched. Remote access hosts at each component were vulnerable to buffer overflow attacks[17] or other exploits due to missing or inappropriately applied security patches.[18] Specifically, according to our tests:

[redacted]

[17] A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Attackers can use this vulnerability to replace valid data on the system with their own code and cause the system to fail or to execute their instructions.

[18] See Appendix E for the number of hosts tested and number of vulnerabilities detected at each component.

According to NIST SP 800-40, patching is critical to the operational availability, confidentiality, and integrity of information technology systems. Organizations should establish a systematic, accountable, and documented process for handling patches. DHS remote access hosts were highly vulnerable to attacks because they were not appropriately patched.
For example, servers at [redacted] were vulnerable to a buffer overflow in the Microsoft Windows Messenger service.[19] By sending a [redacted]

Subsequent to the completion of our audit work, officials from each of the components said that they had taken or planned to take corrective action to address many of the account policy, password, configuration, and patch issues that we identified. However, we did not verify that these problems had been solved.

Modems On DHS Networks May Increase Risk Of Unauthorized Access

We detected possible unauthorized modems operating on DHS networks. During our modem discovery tests, we identified modems on the analog lines of DHS Management, EP&R, CIS, and ICE. DHS Management and EP&R provided us with information regarding the mission requirement for each of the modems that we detected on their networks or phone lines, along with some of the controls implemented to reduce the risks associated with their use.

According to an ICE official, CIS and ICE were in the process of investigating 20 modems that we identified, but they were not able to provide a business justification for 18 of them. They were not able to provide a timely response, according to an ICE official, due in part to inaccuracies in the CIS and ICE database of telecommunications management information.

An unsecured modem or other dial-in facility could provide a backdoor into DHS networks for internal and external unauthorized users. According to FISCAM, dial-in access can significantly increase the risk of unauthorized access, and its use should be limited and the associated risks weighed against the benefits. Justification for such access should be documented and approved by system owners.

[19] The Windows Messenger service transmits messages between client computers and servers on a network. For example, network administrators can use the Messenger service to send administrative alerts to network users, or Windows can use it to inform users when a print job has been completed.

Miscellaneous Issue

CIS Needs To Monitor Systems Security Functions

CIS does not sufficiently monitor the security activities performed by ICE personnel on the systems and data supporting CIS operations. CIS and ICE were part of the former Immigration and Naturalization Service and continue to share the same network infrastructure, which is managed by ICE. However, CIS does not have a process to verify that ICE information technology staff are performing the necessary security or user administration functions for CIS systems and personnel.
Further, ICE officials were not able to determine from system records whether users granted remote access to the network were CIS or ICE personnel. According to CIS and ICE officials, effective CIS oversight has not been established because the components have not completed a formal memorandum of agreement concerning their respective responsibilities.

FISMA requires that senior agency officials provide security for the information and information systems that support the operations and assets under their control. Without an established process to monitor the quality of user administration performed by ICE officials, CIS lacks assurance that sufficient security is provided for the systems and data supporting its operations.

Recommendations

To enhance DHS' guidance for remote access implementation, we recommend that the CIO:

1. Update the DHS Sensitive Systems Handbook to include implementation and configuration procedures for remote access to DHS systems.

To protect remote access to DHS networks effectively, we recommend that the CIO:

2. Ensure that procedures for granting, monitoring, and removing user access are fully implemented according to DHS requirements, as well as NIST and FISCAM guidelines.

3. Verify that all necessary system and application patches are applied in a timely manner to reduce the risk of system compromise or failure.

Management Comments and Our Evaluation

We obtained written comments on a draft of this report from DHS. We have incorporated the comments where appropriate and included a copy of the comments in their entirety as Appendix B. DHS generally agreed with each of our recommendations. Below is a summary of DHS' response to each recommendation and our assessment of the response.

Recommendation 1: Update the DHS Sensitive Systems Handbook to include implementation and configuration procedures for remote access to DHS systems.

DHS plans to update the DHS Sensitive Systems Handbook with minimum requirements and configuration guidance by February 2005. It is not DHS' intent to issue "one size fits all" procedures for the entire department. DHS agreed that exit procedures need to be clear and adhered to and that access permissions should be periodically revalidated, but said that regular reviews of audit logs were not feasible due to the volumes of audit data and the lack of audit reduction tools.

We accept DHS' response to update the DHS Sensitive Systems Handbook with minimum requirements and configuration guidance. We do not agree that our findings and recommendations imply that DHS must establish "one size fits all" procedures for remote access.
We maintain that procedures for granting, monitoring, and removing user access must be enforced, and that the Department must establish configuration guidelines for the hosts providing remote access to its networks. In addition, we maintain that DHS should enforce the requirements outlined in the DHS Sensitive Systems Handbook for regular reviews of audit logs. As noted in the GAO FISCAM, security software should be implemented to analyze audit trail information and selectively identify unauthorized, unusual, and sensitive access activity.

Recommendation 2: Ensure that procedures for granting, monitoring, and removing user access are fully implemented according to DHS requirements, as well as NIST and FISCAM guidelines.

DHS will continue to work to enforce DHS requirements and, where appropriate, NIST and FISCAM guidelines. DHS also plans to reduce its reliance on passwords and move to stronger authentication technologies. However, where the use of passwords is still necessary, DHS policy requires the use of strong password controls, including strict limits on the number of failed logon attempts.

We accept DHS' response to move toward stronger authentication technologies. Nonetheless, many of the hosts we tested were not configured in accordance with DHS requirements and had weak passwords and password controls, including hosts that allowed an unlimited or excessive number of failed logon attempts. Until stronger authentication technologies are employed, and as long as passwords are used as an identification and authentication mechanism at DHS, strong password controls must be enforced on DHS systems.

Recommendation 3: Verify that all necessary system and application patches are applied in a timely manner to reduce the risk of system compromise or failure.

DHS indicated that it will continue to strengthen its patch management. DHS also noted that implementation of some of the patches was delayed so that the impact on its systems could be tested.

We accept DHS' response to continue to strengthen its efforts for effective patch management. We agree that it is important to test the impact of system and application patches prior to their implementation. However, we identified security patches that the vendor released over six months before our review that had not yet been implemented on some DHS systems.
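The evaluation of Recommendation 1 above cites the GAO FISCAM point that security software should reduce audit trail data to the unauthorized, unusual, and sensitive activity a reviewer needs to see, and the evaluation of Recommendation 2 notes hosts that allowed unlimited failed logon attempts. The following Python is an added example of that kind of audit reduction, not code from the report, FISCAM, or any DHS tool. The log format, the sample records, the failure threshold and window, and the business-hours range are all constructed assumptions; a real deployment would read Windows logon events or RAS logs and take its thresholds from the DHS Sensitive Systems Handbook.

```python
"""Audit-reduction example: surface the logon events worth a reviewer's time."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record format (not a Windows or DHS format):
#   "<date> <time> LOGON_SUCCESS|LOGON_FAILURE user=<id> src=<ip>"
SAMPLE_LOG = """\
2004-06-14 09:02:11 LOGON_SUCCESS user=mlee src=10.1.4.22
2004-06-14 09:05:40 LOGON_FAILURE user=jsmith src=198.51.100.7
2004-06-14 09:05:52 LOGON_FAILURE user=jsmith src=198.51.100.7
2004-06-14 09:06:03 LOGON_FAILURE user=jsmith src=198.51.100.7
2004-06-14 09:06:15 LOGON_FAILURE user=jsmith src=198.51.100.7
2004-06-14 09:06:27 LOGON_FAILURE user=jsmith src=198.51.100.7
2004-06-14 09:06:40 LOGON_SUCCESS user=jsmith src=198.51.100.7
2004-06-14 14:30:00 LOGON_FAILURE user=mlee src=10.1.4.22
2004-06-15 02:41:09 LOGON_SUCCESS user=rgarcia src=203.0.113.9
2004-06-15 10:00:00 LOGON_SUCCESS user=rgarcia src=10.1.4.30
"""

FAILURE_THRESHOLD = 5            # failures per account inside WINDOW (placeholder)
WINDOW = timedelta(minutes=10)   # sliding window for counting failures (placeholder)
BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 local; a placeholder, not DHS policy


def parse_line(line: str) -> dict:
    """Turn one constructed log record into a dict with a datetime timestamp."""
    date, time, outcome, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "outcome": outcome, "user": attrs["user"], "src": attrs["src"]}


def reduce_audit_trail(log_text: str) -> list:
    """Return (kind, user, timestamp) alerts for: a burst of failures that a
    lockout policy should have stopped, a success right after such a burst,
    and a successful remote logon outside business hours."""
    alerts = []
    recent = defaultdict(deque)   # user -> failure timestamps inside WINDOW
    flagged = set()               # users already reported for the current burst
    for rec in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        user, q = rec["user"], recent[rec["user"]]
        while q and rec["ts"] - q[0] > WINDOW:   # expire old failures
            q.popleft()
        if not q:
            flagged.discard(user)
        if rec["outcome"] == "LOGON_FAILURE":
            q.append(rec["ts"])
            if len(q) >= FAILURE_THRESHOLD and user not in flagged:
                alerts.append(("failure_burst", user, rec["ts"]))
                flagged.add(user)
        else:  # LOGON_SUCCESS
            if len(q) >= FAILURE_THRESHOLD:
                alerts.append(("success_after_failures", user, rec["ts"]))
                q.clear()
                flagged.discard(user)
            if rec["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_logon", user, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in reduce_audit_trail(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:24s} {user}")
```

On the sample records the ten events reduce to three alerts: the five-failure burst against jsmith, the success that immediately follows it, and rgarcia's 02:41 logon from an external address. The single failed attempt by mlee and the in-hours successes are dropped, which is the reduction FISCAM asks for; where the lockout threshold is zero, as on some hosts the report describes, the "success_after_failures" alert is the signal that a guessing attempt got through.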
In addition, one host was missing patches that were released in 1999 and 2000.

Appendix A
Purpose, Scope, and Methodology

The objective of this audit was to determine whether DHS had provided system security, integrity, and control over remote access to its computer systems and data. Specifically, we determined whether: (1) DHS developed adequate security policies and procedures to grant and control remote access to system resources, including the administration, configuration, and use of remote access paths to networks; and (2) security controls were properly configured on applications and systems providing remote access. For some controls, we determined their adequacy, but we did not test their effectiveness. Our focus was on testing the implementation of secure configurations on the hosts controlling remote access to DHS networks.

The audit focused on wire-based remote access to DHS systems and resources, including dial-in access through modems and access through the internet. We did not examine wireless remote access, including satellite and microwave-based access, during this audit.
We conducted fieldwork at the following locations:

• DHS Management
• Emergency Preparedness and Response (EP&R)
• Bureau of Citizenship and Immigration Services (CIS)
• Bureau of Immigration and Customs Enforcement (ICE)
• Transportation Security Administration (TSA)

During the audit, we used three software tools to conduct internal and external security tests to evaluate the effectiveness of controls implemented for remote access. NIST SP 800-42 identifies the following as common testing tools:

• Internet Security Systems' (ISS) Internet Scanner 7.0, which is a component of the ISS Dynamic Threat Protection platform, was used to detect and analyze vulnerabilities on DHS systems, including servers and infrastructure devices.
• @stake's L0phtCrack 5.02, which is a password auditing and recovery application, was used to analyze passwords that control remote access to DHS systems and resources. We analyzed encrypted system passwords to test for compliance with agency password policies or security best practices.
• Sandstorm Enterprises' PhoneSweep 4.0, which is a telephone scanner, was used for modem discovery and analysis, also known as "war dialing."[20] PhoneSweep was used to dial a range of numbers, provided by the selected components, to identify modems and computers running remote access software that bypass the corporate firewall. Once an active modem was identified, we did not use PhoneSweep to establish a connection with the modem using standard user ID and password combinations.

Before the creation of DHS, both CIS and ICE were part of the former Immigration and Naturalization Service; these components continue to share the same infrastructure, which is managed by ICE. As a result, the technical scans for CIS and ICE were combined. Upon completion of testing, we provided each component the technical reports detailing the specific vulnerabilities detected on their networks and the actions needed for remediation.

We conducted our audit between April and August 2004 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Major OIG contributors to the audit are identified in Appendix F.

The principal OIG points of contact for the audit are Frank Deffer, Assistant Inspector General for Information Technology Audits, at (202) 254-4100; and Edward G. Coleman, Director, Information Security Audit Division, at (202) 254-5444.

[20] War dialing, also known as demon dialing, is a technique by which a computer repeatedly dials a large number of telephone numbers to find test tones, computers, voice mailboxes, private branch exchanges, and government offices.

Appendix B
Management's Response

[Management's response is not reproduced in the extracted text.]

Appendix C
User Administration Processes

The following user administration functions should be performed, based on NIST SP 800-12 recommendations and GAO FISCAM guidelines.
Different personnel, based on the needs of the organization, can perform several of the functions listed below. For more information, please see NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, and the FISCAM.

[Figure: User Administration Processes flowchart; the text recoverable from the diagram follows.]

I. Account Creation
(1) The user's supervisor requests access. Use standardized forms, and the request should include the level of access needed.
(2) The System Owner reviews and approves access. Maintain approved access requests on file.
(3) The Security Manager reviews approvals for questionable access.
(4) The System Administrator creates the account.
(5) Account information is transmitted to the user. Transmit securely.
Security training should be provided to each user, and a Rules of Behavior (R.O.B.) document completed and maintained on file.

II. Account Removal
An Access Removal Request originates with the user's supervisor and passes through the System Owner to the System Administrator.
(2a) The System Owner records access [remainder of diagram cut off in extraction]
(3) The System Administrator disables [remainder of diagram cut off in extraction]
Note: Separate processes should be established for friendly, i.e., mutually acceptable, and unfriendly employee separations, including additional security precautions to prevent adverse events in the case of unfriendly terminations.
                or deletes account\n                                                       Supervisor                                              change and notifies\n                                                      (1) Supervisor                                           systems office                                                                          (4) User completes\n                                                                                                                                                              (2b) Security Manager                    exit checklist\n                                                      notifies that\n                                                                                                                                                              notified immediately,\n                                                      access is no\n                                                                                                                                                              either by the personnel\n                                                      longer needed                                    Employee Departures                      Security      office or by others                                                    Exit Checklist        Exit checklist must be\n                                                                                                                                                Manager\n                                                                                                                                                                                                                                                           initialed by each\n                                                                                  Personnel                                                                                                            
                                                    relevant functional\n                                                                                                                                    Exit Checklist\n                                                                                   Office                                                                                                                    User                                          manager\n\n\n                                                        III. Account Review                                                                                                                                                                                       (d) Audit trail\n                                                                                                                                                                                                                                                                  information should be\n\n\n\n\nDHS Needs to Strengthen Controls For Remote Access\n                                                                                              Employee Departures                                         Access List                                                                                             used to detect\n                                                                                                                                                                                                   Access Approval List\n                                                                                                                                                                                                                                                                  unauthorized, unusual,\n                                                                                              (a) Personnel                   
                                                                                                                                    or sensitive access.\n                                                                                                                                  System                                                         (c) System Owners review all\n                                                                                              Office routinely                                                                                                                                                    Audit trails should be\n                                                                                                                                Administrator                                     System         access levels for each user every\n                                                                                              notifies Systems                                                                                                                                                    reviewed regularly and\n                                                                                              Office of employee                                                                  Owner          month and sign an access\n                                                                              Personnel                                      (b) Systems Office reviews and                                                                                           Security    suspected violations\n                                                                                              departures to                                                                                      approval list\n                                                                               Office                                       
 disables inactive accounts after a                                                                                       Manager     investigated.\n                                                                                              verify that access             set period of inactivity, e.g., 90\n                                                                                              has been removed               days\n\x0c                                                                                                    Appendix D\n                                                                                                    Account Policy Settings\n\n\n\n                  Risk Associated     NIST and NSA                                               Actual Setting\n                                                          DHS Required\nParameter            with Weak        Recommended\n                                                            Setting\n                   Policy Setting        Setting\n\nMaximum\npassword age:\nThe period        Limiting\nof time that a    password life\nuser is allowed   reduces the                              Less than 90                    Passwords      Passwords\n                                      Less than 90 days                       90 days                                     45 days\nto have a         likelihood of                               days                        never expire   never expire\npassword          unauthorized\nbefore being      access\nrequired to\nchange it.\n\nMinimum           If changes\npassword age:     are allowed\nSpeci\xef\xac\x81es how      immediately,\nlong a user       a user could\n                                                                                            Changes        Changes        Changes\nmust wait         change their\n                                        At least 1 day     At least 1 day     14 days       allowed        allowed     
   allowed\nafter changing    password, then\n                                                                                          immediately    immediately    immediately\na password        immediately\nbefore            change it back\nchanging it       to what it was\nagain.            before.\n\nMinimum\n                  Blank                  High risk\npassword\n                  passwords and        environments:\nlength: The\n                  shorter length       12 characters\nminimum                                                                          8\n                  passwords are                            8 characters                   6 characters   5 characters   8 characters\nnumber of                                                                    characters\n                  easily guessed           Other\ncharacters a\n                  by password          environments:\npassword must\n                  cracking tools.       8 characters\ncontain\n\n                  Forcing users\nPassword          to change their\nuniqueness/       passwords\nhistory:          reduces the\nPrevents          likelihood                                  4 to 6            24            5              10            24\n                                        24 passwords\nusers from        that a hacker                             passwords        passwords    passwords      passwords      passwords\ntoggling among    or password\ntheir favorite    cracker will\npasswords         discover\n                  passwords.\n\nAccount lockout\nafter # of bad    Establishing\nlogon attempts:   an account\nSpeci\xef\xac\x81es the      lockout threshold\nnumber of bad     helps prevent            3 invalid          3 invalid      3 invalid    No account      12 invalid     3 invalid\nlogon attempts    password             attempts or less   attempts or less   attempts      lockout        attempts       attempts\nthat can be       cracking or\nmade before 
      guessing attacks\nan account is     on the system.\nlocked out.\n\n\n\n\n                            DHS Needs to Strengthen Controls For Remote Access                                           Page 23\n\x0cAppendix D\nAccount Policy Settings\n\n\n\n Reset lockout\n                     Setting the\n counter after\n                     number of\n # of minutes:\n                     minutes too low\n Speci\xef\xac\x81es the                               15 minutes or                               15          No account\n                     may reduce the                               Not speci\xef\xac\x81ed                                       30 minutes       15 minutes\n number of                                      more                                  minutes        lockout\n                     effectiveness\n minutes until\n                     of the account\n the bad logon\n                     lockout control\n count is reset.\n\n                     Setting the\n Lockout\n                     number of\n duration: Sets                             15 minutes or\n                     minutes too low\n the number                                 more, but not                               15          No account\n                     may reduce the                                 Forever                                            Forever        15 minutes\n of minutes an                                          (a)                           minutes        lockout\n                     effectiveness            forever\n account will be\n                     of the account\n locked out.\n                     lockout control\n (a)\n       According to NSA, setting the lockout duration to forever may lead to a denial of service attack, i.e., a form of attacking another computer\n       to prevent legitimate users of a system from using the computer or its services.\n\n\n\n\nPage 24                                              DHS Needs to Strengthen 
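The table above is easier to act on as a check that can be re-run whenever a host's policy changes. The following is an added example written for this page, not code from the OIG report: it encodes the NIST/NSA and DHS baselines from Appendix D, models the four observed configurations as constructed sample input (the report redacts the component names, so they are labelled Component 1 to 4 in the order the appendix prints them), and reports each parameter that misses a baseline. It also carries the NSA caveat from footnote (a): against the NIST/NSA baseline a lockout duration of forever is itself a finding, because it lets an attacker lock legitimate users out, while against the DHS baseline it is the required value. Counter-reset and lockout-duration checks are skipped when lockout is disabled, since the missing threshold already covers that host.

```python
"""Audit account policy settings against the Appendix D baselines (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Union

FOREVER = "forever"                # account stays locked until an administrator unlocks it
Duration = Union[int, str, None]   # minutes, FOREVER, or None when lockout is disabled


@dataclass(frozen=True)
class AccountPolicy:
    name: str
    max_password_age_days: Optional[int]   # None: passwords never expire
    min_password_age_days: int             # 0: changes allowed immediately
    min_password_length: int
    password_history: int                  # previous passwords remembered
    lockout_threshold: int                 # bad logons before lockout; 0: no account lockout
    reset_counter_minutes: Optional[int]   # None when lockout is disabled
    lockout_duration: Duration


@dataclass(frozen=True)
class Baseline:
    """A field left as None means the baseline does not specify that parameter."""
    name: str
    max_password_age_lt_days: Optional[int] = None   # actual must be strictly less than this
    min_password_age_days: Optional[int] = None      # actual must be at least this
    min_password_length: Optional[int] = None
    password_history: Optional[int] = None           # at least this many remembered
    lockout_threshold_max: Optional[int] = None      # actual must be between 1 and this
    reset_counter_min_minutes: Optional[int] = None
    lockout_duration_min_minutes: Optional[int] = None
    lockout_forever: Optional[bool] = None           # True: required, False: forbidden


# Baselines as printed in Appendix D (NIST/NSA recommended, DHS required).
NIST_NSA = Baseline("NIST/NSA", 90, 1, 8, 24, 3, 15, 15, lockout_forever=False)
NIST_NSA_HIGH_RISK = Baseline("NIST/NSA high risk", 90, 1, 12, 24, 3, 15, 15, lockout_forever=False)
DHS_REQUIRED = Baseline("DHS", 90, 1, 8, 4, 3, lockout_forever=True)  # reset counter: not specified

# Constructed sample input: the "actual setting" column of Appendix D, component names redacted.
COMPONENTS = [
    AccountPolicy("Component 1", 90, 14, 8, 24, 3, 15, 15),
    AccountPolicy("Component 2", None, 0, 6, 5, 0, None, None),
    AccountPolicy("Component 3", None, 0, 5, 10, 12, 30, FOREVER),
    AccountPolicy("Component 4", 45, 0, 8, 24, 3, 15, 15),
]


def audit(p: AccountPolicy, b: Baseline) -> List[str]:
    """Return one finding per parameter that misses the baseline; an empty list means compliant."""
    f: List[str] = []
    if b.max_password_age_lt_days is not None and (
        p.max_password_age_days is None or p.max_password_age_days >= b.max_password_age_lt_days
    ):
        shown = "never expire" if p.max_password_age_days is None else f"{p.max_password_age_days} days"
        f.append(f"maximum password age: {shown}; {b.name} requires less than {b.max_password_age_lt_days} days")
    if b.min_password_age_days is not None and p.min_password_age_days < b.min_password_age_days:
        f.append(f"minimum password age: {p.min_password_age_days} days lets a user change straight back to the old password")
    if b.min_password_length is not None and p.min_password_length < b.min_password_length:
        f.append(f"minimum password length: {p.min_password_length} < {b.min_password_length} characters")
    if b.password_history is not None and p.password_history < b.password_history:
        f.append(f"password history: {p.password_history} < {b.password_history} passwords remembered")
    if b.lockout_threshold_max is not None and not 1 <= p.lockout_threshold <= b.lockout_threshold_max:
        shown = "no account lockout" if p.lockout_threshold == 0 else f"{p.lockout_threshold} attempts"
        f.append(f"lockout threshold: {shown}; {b.name} allows at most {b.lockout_threshold_max} bad logons")
    if p.lockout_threshold == 0:
        return f  # counter reset and lockout duration are moot without lockout
    if b.reset_counter_min_minutes is not None and (p.reset_counter_minutes or 0) < b.reset_counter_min_minutes:
        f.append(f"reset lockout counter: {p.reset_counter_minutes} < {b.reset_counter_min_minutes} minutes")
    if p.lockout_duration == FOREVER:
        if b.lockout_forever is False:
            f.append("lockout duration: forever; NSA warns this lets an attacker lock out legitimate users (denial of service)")
    elif b.lockout_forever is True:
        f.append(f"lockout duration: {p.lockout_duration} minutes; {b.name} requires forever")
    elif b.lockout_duration_min_minutes is not None and (p.lockout_duration or 0) < b.lockout_duration_min_minutes:
        f.append(f"lockout duration: {p.lockout_duration} < {b.lockout_duration_min_minutes} minutes")
    return f


def summary(baseline: Baseline = DHS_REQUIRED) -> dict:
    """Findings for every sample component against one baseline, keyed by component name."""
    return {p.name: audit(p, baseline) for p in COMPONENTS}


if __name__ == "__main__":
    for baseline in (DHS_REQUIRED, NIST_NSA):
        for name, findings in summary(baseline).items():
            print(f"[{baseline.name}] {name}: {len(findings)} finding(s)")
            for line in findings:
                print("   -", line)
```

Run against the DHS baseline the script reports two findings each for Components 1 and 4 and four each for Components 2 and 3; against NIST/NSA, Component 3's forever lockout becomes a sixth finding while Component 1's 15 minute lockout passes, which is the tension between the two baselines that the table leaves the reader to notice.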
Appendix E
Vulnerabilities Identified

Number of vulnerabilities detected (a). Component names are redacted in the public release.

  Component    Hosts tested   High risk   Medium risk   Total
  (redacted)        10            13           12          25
  (redacted)        14            21           52          73
  (redacted)        11             4           14          18
  (redacted)        18             8           10          18

Number of hosts with high or medium risk vulnerabilities (a), as number and percent of hosts tested.

  Hosts tested   No weaknesses   1 weakness   2 weaknesses   3 weaknesses   4 or more   Total with 1 or more
       10           3 (30%)       1 (10%)      0              3 (30%)        3 (30%)       7 (70%)
       14           7 (50%)       1 (7%)       0              1 (7%)         5 (36%)       7 (50%)
       11           7 (64%)       0            1 (9%)         0              3 (27%)       4 (36%)
       18          11 (61%)       1 (6%)       4 (22%)        0              2 (11%)       7 (39%)

(a) Includes configuration weaknesses and patch-related vulnerabilities.

Appendix F
Major Contributors to This Report

Information Security Audits Division
Edward G. Coleman, Director
Patrick Nadon, Audit Manager
Chiu-Tong Tsang, Audit Team Leader
Jason Bakelar, Auditor
Pedro Calderon, Auditor
Evan Portelos, Associate
Anthony Nicholson, Referencer

Advanced Technology Division
Jim Lantzy, Director
Chris Hablas, Senior Security Engineer

Appendix G
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
General Counsel
Under Secretary, Management
DHS OIG Liaison
DHS Chief Information Security Officer
DHS Public Affairs
CIO Audit Liaison
DHS Office of Security
Director, Compliance and Oversight Program, OCIO

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Appropriate Congressional Oversight and Appropriations Committees

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to Department of Homeland Security, Washington, DC 20528, Attn: Office of Inspector General, Investigations Division – Hotline. The OIG seeks to protect the identity of each writer and caller.